Kinda want to keep this short. My Asus WRT router running Merlin firmware is currently handling my VPN connections & routing.
There is some part of me thinking that if my provider's servers go down my router may fall back to WAN, so should I run an additional VPN connection on the device/server itself just in case?
It's been about a year with this setup; however, this potential issue has been irking me.
Edit: The kill switch is disabled on the router's tunnels as it appears to be bugged in two ways: 1) any manual DNS settings get disregarded network-wide; 2) it kills all network connections, not just those of the affected devices.
I run a split environment. Main router is set up ‘normally’ with what other people in the house and visitors would expect.
Attached to that is a Pi running an OpenVPN client and a hostapd server that broadcasts a separate WiFi network. iptables on the Pi is set to only ever allow Internet traffic through the VPN as a kill switch (except for OpenVPN itself, to prevent a chicken-and-egg situation), and any WiFi clients connected via hostapd are routed through it.
A script occasionally changes the VPN endpoint to keep it interesting. This Pi also acts as a qBittorrent client that stores downloads to a local NAS.
It’s a best of both setup that has been stable for over 5 years now.
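The kill-switch ruleset the reply describes, written out as an added example (not the commenter's own script). Interface names (eth0 uplink, wlan0 hostapd, tun0 OpenVPN), the LAN subnet and the VPN endpoint address are assumptions or constructed placeholders; by default it only prints the rules.

```shell
#!/bin/sh
# Added example, not the commenter's script: iptables kill switch for a Pi that
# runs an OpenVPN client plus a hostapd AP. Interface names, the LAN subnet and
# the VPN endpoint below are assumptions / constructed placeholders.
WAN_IF="${WAN_IF:-eth0}"                   # uplink to the main router
AP_IF="${AP_IF:-wlan0}"                    # hostapd network for VPN-only clients
VPN_IF="${VPN_IF:-tun0}"                   # OpenVPN tunnel interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # home LAN (NAS, resolver on the router)
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # constructed VPN endpoint address
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the rules, 0 = apply (needs root)

# Run or print one iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

killswitch_rules() {
    # Hostapd clients may only be forwarded into the tunnel. With the FORWARD
    # policy at DROP and no wlan0->eth0 rule, their traffic is dropped, not
    # leaked to the WAN, whenever tun0 disappears.
    ipt -F FORWARD
    ipt -P FORWARD DROP
    ipt -A FORWARD -i "$AP_IF" -o "$VPN_IF" -j ACCEPT
    ipt -A FORWARD -i "$VPN_IF" -o "$AP_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -F POSTROUTING
    ipt -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE

    # The Pi's own traffic (the torrent client included) follows the same rule,
    # with two exceptions: the LAN (NAS, SSH replies, router DNS) and the OpenVPN
    # handshake itself, which must reach the provider over eth0 before tun0
    # exists (the chicken-and-egg case).
    ipt -F OUTPUT
    ipt -P OUTPUT DROP
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -o "$VPN_IF" -j ACCEPT
    ipt -A OUTPUT -o "$AP_IF" -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -d "$LAN_NET" -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p "$VPN_PROTO" -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

killswitch_rules
```

Because the OUTPUT exception is pinned to one endpoint address, the script that rotates VPN servers has to rerun this with the new VPN_SERVER before reconnecting, and the provider hostname can only be resolved through the LAN resolver allowed by the LAN_NET rule.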